“You cannot endow even the best machine with initiative; the jolliest steamroller will not plant flowers.” Walter Lippmann
In 2017 the AICPA announced a new attestation engagement called SOC for Cybersecurity. DeTech wrote about the technical aspects of the engagement soon after its announcement (see that article here). We have since completed the AICPA’s coursework and conducted SOC for Cybersecurity examination services, and are better equipped to provide insight on this new service. We foresee the SOC for Cybersecurity Examination becoming a valuable and important attestation report for forward-thinking companies that want to demonstrate their commitment to safe and sound cybersecurity practices to key stakeholders.
Q1: Is a SOC for Cybersecurity examination only for service organizations?
No. Since 2017, the term “SOC” has represented a suite of attestation services provided by CPAs. “SOC” stands for System and Organization Controls (it formerly meant Service Organization Control). The Cybersecurity Risk Management Examination, which the AICPA brands as SOC for Cybersecurity, is available to any entity that wants to demonstrate the quality of its cybersecurity risk management program.
Q2: With whom can we share our SOC for Cybersecurity Report?
Anyone. Unlike a SOC 1 or SOC 2, which are restricted-use reports, the SOC for Cybersecurity deliverable is a general-use report. The final report can be presented to analysts, investors, current and prospective customers, and vendors, and it can be posted on your website or used in marketing materials. The entity’s management or the issuing CPA has the option to restrict the report to specific parties, but under normal circumstances the report may be freely distributed, just like the financial audit results of a public company.
Q3: Is a SOC for Cybersecurity some kind of penetration or vulnerability assessment?
No. Penetration tests and vulnerability assessments are valuable services, but the deliverables for those services are systematic results identifying technical weaknesses in the entity’s infrastructure. A SOC for Cybersecurity report is intended to address the cybersecurity risk management program for an entire entity. One example of a control identified in the program may be a periodic vulnerability assessment performed by a third party, which contributes to the overall cybersecurity risk management program.
Q4: What is included in a SOC for Cybersecurity report?
A SOC for Cybersecurity report includes three components:
- Management’s description of its cybersecurity risk management program. The description contains the company’s cybersecurity objectives, a discussion of the cybersecurity risk management program, and a description of the controls in place to meet the cybersecurity objectives. The description should give the reader sufficient detail about the cybersecurity controls, but not so much detail that it gives potential attackers undue insight into the company’s cybersecurity systems.
- A CPA’s opinion letter, which opines on two matters: whether the entity presented its description of its cybersecurity risk management program in accordance with the description criteria, and whether the controls were effective to achieve the cybersecurity objectives based on the control criteria. The opinion letter is comparable to the opinion letter provided during a financial statement audit.
- Management’s assertion, which states that the entity has presented its description in accordance with the description criteria and that the controls within the cybersecurity risk management program were effective to achieve the cybersecurity objectives.
It is also worth noting what a SOC for Cybersecurity report does not include. If you’re familiar with the SOC 1 and SOC 2, you will recognize the voluminous matrix of controls, tests of controls, and the service auditor’s results of those tests, usually the last section of the report. The SOC for Cybersecurity does not include this detailed matrix.
Q5: How do I know if our company is ready for a SOC for Cybersecurity examination?
Groundwork must be laid to properly plan for a SOC for Cybersecurity exam. Before the exam period begins you would undergo a Readiness Assessment—a consulting engagement which assists the company in preparing the description, cybersecurity objectives, and supporting controls.
Q6: Why would we choose an accounting firm for cybersecurity services?
Year after year, public accounting and consulting firms rank among the top IT and cybersecurity companies. The public accounting industry is well positioned to match cybersecurity threats with business risk, and a well-staffed public accounting firm with the requisite expertise will bring the same level of integrity, objectivity and independence to cybersecurity services as it does to financial auditing services.
Bryan is a Partner at YHB and serves on the Risk Advisory Services Team. Bryan focuses on assisting organizations in a variety of industries with internal audits and IT-related audit and consulting services.